Rightscale Webinar: PCI in Public Cloud


  1. PCI in Public Cloud: It can be done. September 20, 2012. Watch the video of this webinar.
  2. Your Panel Today
     Presenting:
     • Phil Cox, Director, Security and Compliance, RightScale
     • Brian Adler, Professional Services Architect, RightScale
     Q&A:
     • Ryan Geyer, Cloud Solutions Engineer, RightScale
     • Greg Goodwin, Account Manager, RightScale
     Please use the Questions window to ask questions any time!
  3. Agenda
     • Who I am and why am I speaking about this?
     • Brief introduction to the PCI DSS
     • Working premise for my PCI environment
     • Core foundations to PCI in Public Cloud
     • Overview of the 12 Requirements and how they apply in the Public Cloud
  4. Introduction
     • A follow-on to the blog (http://blog.rightscale.com/pci)
     • Practical advice from years of experience as a QSA, now a merchant
     • Major contributor to the PCI Virtualization supplement
     • Member of the PCI Cloud SIG
  5. PCI DSS Background
     • Card brands wanted consistency
     • The Payment Card Industry Security Standards Council (PCI SSC) was created
     • Develops the Data Security Standard (DSS)
       • 12 Top Level Requirements
       • https://www.pcisecuritystandards.org/documents/PCI%20SSC%20-%20Getting%20Started%20with%20PCI%20DSS.pdf
     • Each of the card brands has validation requirements
       • 3rd party assessments (QSA)
       • Self Assessment Questionnaire
  6. PCI DSS Summary (goals and the PCI DSS requirements under each)
     Build and Maintain a Secure Network
       1. Install and maintain a firewall configuration to protect cardholder data
       2. Do not use vendor-supplied defaults for system passwords and other security parameters
     Protect Cardholder Data
       3. Protect stored data
       4. Encrypt transmission of cardholder data across open, public networks
     Maintain a Vulnerability Management Program
       5. Use and regularly update anti-virus software or programs
       6. Develop and maintain secure systems and applications
     Implement Strong Access Control Measures
       7. Restrict access to cardholder data by business need-to-know
       8. Assign a unique ID to each person with computer access
       9. Restrict physical access to cardholder data
     Regularly Monitor and Test Networks
       10. Track and monitor all access to network resources and cardholder data
       11. Regularly test security systems and processes
     Maintain an Information Security Policy
       12. Maintain a policy that addresses information security for all personnel
  7. PCI & Public Cloud: What's the big deal?
     • There is no clear guidance from the PCI SSC as to how the 12 Requirements and subsequent controls are to be met and validated in cloud environments
     • The Virtualization Guidance gave us some basis, but did not address everything
     • Many folks are still unclear not only about IF but HOW when it comes to running a PCI compliant environment on a public cloud
  8. Working Premise
     • Systems that store, process, or transmit cardholder data are located in a public cloud provider
     • No other managed hosting or physical system in the design
     • The application is structured into 3 tiers: load balancer, app server, DB server
     • Development and test are separate (i.e., isolated) and have NO cardholder data
     • The design only deals with production systems
  9. Foundation
     • Public cloud provider
     • Assessor
     • Application design
     • Harden the systems
  10. Public Cloud Provider
     • Is on the Approved Service Providers list (i.e., completed Level 1) *OR* has done a Level 2 assessment and can show you their validation results
       • Many providers go through the rigor of ensuring compliance internally, but not the cost of hiring an external QSA
       • Do not dismiss a potential partner because they are not on the list. If you are going to dismiss them, do it because they are not transparent.
     • Will sign a contract that states they must protect CHD in accordance with PCI DSS to the extent it applies to them
  11. Assessor
     • About the Qualified Security Assessor (QSA): you need to find one that knows cloud technology
       • A good default choice is the QSA who did the assessment for your provider
     • If you don't want/need to use an external auditor, then determine if you have the knowledge internally
       • You need to make sure you have the depth of knowledge on the PCI DSS, as you will likely get it wrong if they do not
  12. Application Design
     • Your ability to achieve PCI compliance in the public cloud is primarily based on how much forethought you gave to the application in its design
     • Most providers, and all cloud-based operating systems, can be PCI compliant. The same cannot be said for all applications
     • Ask the following questions:
       • What data am I storing? Why? Can I get away without it?
       • Do I know the communication flow of the application?
       • Can I restrict communications to specific system roles?
       • Am I using well-known, publicly vetted cryptography standards?
  13. Application Guidelines
     Here are guidelines I have used to ensure an application is securable from a PCI perspective:
       1. Do not store the Primary Account Number (PAN) if you do not need it.
          • Many payment processors have mechanisms for recurring billing or credits. Depending on your situation, it is highly likely that you do not need to store the PAN, thus making your life significantly easier from a PCI DSS compliance standpoint.
       2. If you are going to store PAN, then the design of the crypto mechanism and, more importantly, the key management of data in the DB, is critical
          • This is really not a cloud thing, and is dealt with in any PCI application that stores CHD.
  14. Application Guidelines (cont.)
       3. Terminate SSL/TLS at the load balancer and run all other traffic over the private interface/network
          • This assumes that the private interfaces have been designed to meet the definition of non-public as far as PCI DSS is concerned
          • This is the case with Amazon Web Services. Traffic between the private IP addresses can be considered a private network and not require encryption. This does not mean that you can't or shouldn't do it, just that you do not have to in order to meet PCI DSS requirements.
       4. Validate all user input
          • While this is not a cloud issue, it is THE main intrusion vector
     Yep, that's pretty much it: protect it in transit/at rest (if needed) & test for bad code. It is not rocket science, but most folks don't do these right.
  15. Harden the Systems
     • Protect the system
       • Firewalls (remember ingress and egress)
       • Change defaults
       • Install patches
     • Watch the system for odd behavior or changes
       • Shout out to CloudPassage
     • Manage the firewall rules and separation of duty that PCI DSS requires, and it will make achieving compliance much easier.
     • I recommend using a public cloud management solution. Trying to do this by hand is error-prone.
  16. Determining Scope
     • I use the Open PCI Scoping Toolkit as the framework
       • It is the work of 50+ experts in the PCI field
       • It is NOT endorsed by the PCI SSC, but they have provided no alternative to the tough questions it answers
     • Get it at http://itrevolution.com/pci-scoping-toolkit/
  17. Decision Tree (diagram slide; not reproduced in the text)
  18. PCI DSS Requirements (section divider)
  19. PCI and Cloud Snapshot
     • Those that need special consideration because of cloud: 1, 3, 9, 10, 11, 12 (orange)
     • Those that are more about HOW than WHAT: 2, 4, 5, 6, 7, 8 (blue)
  20. Cloud Provider Responsibility
     • Everything up to and including the hypervisor
     • All physical aspects of the remote systems
  21. Requirement 1: Firewalls
     • Design the application and communications flows so they can be secured
     • The state of networking features in cloud has an effect on how you provide isolation for scoping
     • Review/audit regularly to make sure design and implementations have not changed
       • One nice aspect of the cloud is that since automation is part of the DNA, automation of these reviews is easier
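One way to automate the review this slide calls for, as an added example that is not from the webinar or from RightScale: the 3-tier flows from the working premise (internet to LB, LB to app, app to DB) are written down as the intended design, and a set of firewall rules (a constructed sample standing in for a cloud security-group export; role names and ports are assumptions) is checked for drift in both ingress and egress.

```python
"""Audit firewall rules against the intended 3-tier communication flows (Req. 1)."""
from dataclasses import dataclass

# Intended flows for the webinar's 3-tier premise: (source role, destination role, port).
# Ports and role names are assumptions for this example.
ALLOWED_FLOWS = {
    ("internet", "lb", 443),   # TLS terminates at the load balancer
    ("lb", "app", 8080),       # LB -> app server over the private network
    ("app", "db", 3306),       # app server -> DB server over the private network
}
MANAGED = {"lb", "app", "db"}  # roles whose rules we control; "internet" is not one


@dataclass(frozen=True)
class Rule:
    role: str        # role of the instances the rule is attached to
    direction: str   # "ingress" or "egress"
    peer: str        # peer role ("internet" stands for 0.0.0.0/0)
    port: int


def rule_to_flow(rule):
    """Express a rule as (src, dst, port) so ingress and egress rules compare alike."""
    if rule.direction == "ingress":
        return (rule.peer, rule.role, rule.port)
    return (rule.role, rule.peer, rule.port)


def audit(rules):
    """Return (drift, missing): rules that permit a flow outside the design, and
    designed flows lacking an ingress rule on the destination or egress rule on the source."""
    drift = [r for r in rules if rule_to_flow(r) not in ALLOWED_FLOWS]
    present = {}
    for r in rules:
        present.setdefault(rule_to_flow(r), set()).add(r.direction)
    missing = []
    for flow in sorted(ALLOWED_FLOWS):
        src, dst, _ = flow
        needed = ({"egress"} if src in MANAGED else set()) | ({"ingress"} if dst in MANAGED else set())
        if not needed <= present.get(flow, set()):
            missing.append(flow)
    return drift, missing


# Constructed sample export: two rules that do not match the design, and the DB tier
# is missing its ingress rule for the app tier (a deployment that drifted from the design).
SAMPLE_RULES = [
    Rule("lb", "ingress", "internet", 443),
    Rule("lb", "egress", "app", 8080),
    Rule("app", "ingress", "lb", 8080),
    Rule("app", "egress", "db", 3306),
    Rule("db", "ingress", "internet", 22),   # not in the design: review it
    Rule("app", "egress", "internet", 443),  # not in the design: review it
]

if __name__ == "__main__":
    drift, missing = audit(SAMPLE_RULES)
    print("rules outside the design:", *drift, sep="\n  ")
    print("designed flows not fully permitted:", *missing, sep="\n  ")
```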
  22. Requirement 2: Defaults
     • Make sure to change the vendor-supplied defaults
       • RightScale ServerTemplates are a great way to enforce this, as well as provide version control of configurations
     • The cloud actually helps you:
       • You have to plan
       • There is no "throw in the CD, plug in the cable, and leave it"
     • Cloud should give you a leg up in this area, as this is part of Cloud DNA so to speak
  23. Requirement 3: Protect CHD
     • Gets down to:
       • Do not store what you don't need
       • Good crypto selection
       • Proper key management
     • For non-DB-based encryption, use of a third party like Trend Micro SecureCloud (or similar) is a big help here
     • Note: Cloud really is not an issue here, as you have many of the same concerns in a managed hosting environment. The main difference is between owned or third-party infrastructure.
  24. Stored PAN Tangent
     • Assume you store PAN in the DB
       • Not tokenized, truncated, or hashed
     • For most of us, you need to mask on display
     • Per Requirement 3, if you store CHD, then you must encrypt
       • Does your DB support it? If not, then you have to do it in the App
       • Use an encrypted filesystem on block storage in addition
       • Inject keys at instance launch
     • Management of encryption keys is the big issue
       • Rotation: You need to plan on how to do this!
       • Storage: In memory is best, a restricted filesystem is next best
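The "validate all user input" guideline from slide 14 and the "mask on display" point from this slide, as an added example that is not from the webinar or from RightScale: untrusted PAN input is accepted only if it is 13 to 19 digits with a valid Luhn checksum, and the display form shows at most the first six and last four digits (the maximum PCI DSS Requirement 3.3 permits). The test card number used is a constructed sample.

```python
"""Validate PAN input from an untrusted form and mask it for display."""
import re

PAN_RE = re.compile(r"^[0-9]{13,19}$")  # payment card numbers are 13 to 19 digits


def luhn_ok(digits):
    """Luhn checksum used by card numbers; it catches typos, not fraud."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw):
    """Return the digits of a well-formed PAN, or None for anything else.
    Spaces and dashes that card forms commonly insert are stripped first;
    any other character, wrong length or bad checksum rejects the input."""
    if not isinstance(raw, str):
        return None
    digits = re.sub(r"[ -]", "", raw.strip())
    if not PAN_RE.match(digits) or not luhn_ok(digits):
        return None
    return digits


def mask_pan(raw):
    """Display form: first six and last four digits, the rest replaced by 'X'.
    Only this form should reach screens and logs; the full PAN stays encrypted."""
    pan = normalize_pan(raw)
    if pan is None:
        raise ValueError("not a valid PAN")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))  # constructed test number
```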
  25. Requirement 4: Encrypt transmission
     • No huge difference between cloud or hosted here
     • The biggest item is determining private vs. public networks
     • SSL/TLS is the de facto way to do this
  26. Requirement 5: AV and Malware
     • Not much specific to a cloud deployment
     • Servers come and go more frequently, so you need to make sure the AV solution is operating correctly
     • If I had Windows systems for servers, I'd be using RightScale ServerTemplates to make sure things were configured correctly
     • A nice aspect of the cloud is that since automation is part of the DNA, automation of this should actually make it easier to meet the requirements
  27. Requirement 6: Development & System Admin
     • The what (securing systems) is not really a cloud-specific problem, but the how is
     • Need to deploy hardened systems
       • RightScale ServerTemplates and built-in versioning make it easy and provide change tracking. You can choose how you want to do it, just do it
     • A nice aspect of the cloud is that since automation is part of the DNA, automation of these should actually make it easier to meet the requirements
  28. Requirements 7 & 8: Restrict Access & Users
     • Again, not the What to do that is the issue, but How to do it
     • Make sure you enforce it on EVERY system
       • Role-Based Access Control (RBAC) and ServerTemplate features of RightScale and a strict provisioning policy to get this done. You can choose any method that works
     • I use a combination of RightScale, policies, and regular audits. You can choose any method that works
     • Really no different than a hosted environment
  29. Requirement 9: Physical
     • You need to worry about user systems and any hard copy
     • Really no different than a hosted environment
  30. Requirement 10: Logging & Tracking
     • Basically need host-based tools
     • The lack of transparency into some of the devices you don't have access to (e.g., hypervisor logs) needs to be taken into account
     • I use RightScale to configure systems and send local system and application logs to a central log server
       • You can choose any method that works for you
     • Use of a 3rd party is a BIG WIN here
  31. Requirement 11: Testing
     • Coordination with the CSP when doing testing may be something that is new and requires modification of your process
     • Internal testing becomes a bit tricky
     • I recommend:
       • Automated tools: continuous
       • Internal experts: monthly or more
       • 3rd party testing: annually
     • While you can use a Web App Firewall (WAF), I prefer testing
       • Use both if you can
  32. Requirement 12: Governance
     • The policies need to exist with or without the cloud. The biggest difference here is ensuring appropriate language is included in contracts
     • Biggest issues I run into:
       • Ensure that if you share CHD with others, contracts state they must protect CHD in accordance with PCI DSS
       • Have an incident response plan and make sure it works!
  33. Conclusion
     • You CAN be PCI-compliant in a public cloud
     • You need validation of your partners:
       • On the list of PCI approved Service Providers *OR*
       • Be transparent and willing to work with you to document their compliance adherence
     • Management of cloud systems should be better than traditional
       • You get lazy with what you know
     • Tools can help, and IMO, RightScale is the best-of-breed tool for this
     Contact RightScale: (866) 720-0208, sales@rightscale.com, www.rightscale.com